NBI suspects 3 of gross negligence in therapy firm's data breach

News of the data breach at the psychotherapy firm Vastaamo first surfaced in October 2020, when the company announced that sensitive patient data had been hacked and leaked.

The image shows a post made by the user ransom_man on Torilauta on 21 October 2020, describing the data breach targeting Vastaamo.
The preliminary investigation has heard testimony from several witnesses and requested statements from information security experts. Image: Silja Viitala / Yle
  • Yle News

The National Bureau of Investigation (NBI) has completed a preliminary investigation into the suspected data protection offences related to a massive data breach at the privately-run psychotherapy centre Vastaamo.

The NBI suspects three individuals of gross negligence in the processing of personal data. The suspects were responsible for the company's data security and protection. The case will head to the National Prosecution Authority for consideration.

News of the data breach at the firm first surfaced in October 2020, when the company announced that sensitive patient data was leaked after a hack of its database.

"The investigation is looking into the state of security and data protection of personal data and sensitive information before and after the data breach at Vastaamo. The preliminary investigation has been demanding because it has involved a lot of technical data collection and examination," Marko Leponen, who led the investigation on behalf of the NBI, said in a statement issued on Monday.

The preliminary investigation heard statements from several witnesses and reached out to data security experts for related information.

Police said all three suspects have denied the allegations.

Data breach investigation led outside Europe

The company has said that it was the target of data breaches in November 2018 and March 2019.

In October 2020, the privately-run centre announced that sensitive information of about 30,000 patients had been stolen by hackers who then tried to extort money from the company and its customers. Information entered into their system after 2018 had not been compromised.

Vastaamo filed for bankruptcy in early 2021.

Authorities have said that due to the gap in time between the data breach and the extortion, the perpetrators of each of those crimes may not be the same.

Investigation director Leponen told Yle that the investigation into the data breach is progressing. As of now, the main line of inquiry points outside of Europe. It is possible that the perpetrator could be Finnish despite the traces leading abroad, according to Leponen.